hadoop-yarn-issues mailing list archives

From "Jian He (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-3855) If acl is enabled and http.authentication.type is simple, user cannot view the app page in default setup
Date Fri, 26 Jun 2015 02:39:04 GMT

    [ https://issues.apache.org/jira/browse/YARN-3855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14602295#comment-14602295 ]

Jian He edited comment on YARN-3855 at 6/26/15 2:38 AM:
--------------------------------------------------------

bq. This is a misconfiguration, plain and simple.
We do see some use cases where people want their cluster secure but not the web UI. People
do not bother doing kinit before launching the browser. If the cluster is set up in this particular
way, which is the default, there's no way to browse the applications other than restarting the
daemon and changing configs, which is too inconvenient. Given that the filter is already always
added in non-secure mode, I think it's fine to add the filter when http is simple, which is
what ATS is currently doing.


was (Author: jianhe):
bq. This is a misconfiguration, plain and simple.
We do see some use cases where people want their cluster secure but not the web UI. People
do not bother doing kinit before launching the browser. If the cluster is set up in this particular
way, which is the default, there's no way to browse the applications other than restarting the
daemon and changing configs, which is too inconvenient. Given that the filter is also added in
non-secure mode, I think it's also fine to add in secure mode.

> If acl is enabled and http.authentication.type is simple, user cannot view the app page in default setup
> --------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-3855
>                 URL: https://issues.apache.org/jira/browse/YARN-3855
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3855.1.patch
>
>
> If all ACLs (admin acl, queue-admin-acls etc.) are set up properly and "http.authentication.type"
> is 'simple' in secure mode, the user cannot view the application web page in the default setup because
> the incoming user is always considered as "dr.who". The user also cannot pass "user.name" to
> indicate the incoming user name, because AuthenticationFilterInitializer is not enabled by
> default. This is inconvenient from the user's perspective.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
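
Added example, not part of the message above or of YARN-3855.1.patch: a core-site.xml fragment showing the manual configuration the issue description refers to, where AuthenticationFilterInitializer replaces the default static-user filter so that "user.name" is honoured. The values shown are assumptions for a Kerberos-secured cluster that keeps simple HTTP authentication.

```xml
<!-- core-site.xml (example values; adjust to the cluster) -->
<configuration>
  <!-- RPC side of the cluster is secured with Kerberos ("secure mode"). -->
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>

  <!-- Web UIs use simple (pseudo) authentication, as in the issue. -->
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>simple</value>
  </property>

  <!-- Default is org.apache.hadoop.http.lib.StaticUserWebFilter, which maps
       every web request to hadoop.http.staticuser.user (default "dr.who").
       With ACLs enabled, that user is denied the application page. -->
  <property>
    <name>hadoop.http.filter.initializers</name>
    <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
  </property>

  <!-- Require the caller to name a user via ?user.name=<name>.
       The name is asserted by the client and not verified, so web ACL
       checks under "simple" identify a user but do not authenticate one.
       Set hadoop.http.authentication.type to kerberos where the ACLs
       must be enforced against a proven identity. -->
  <property>
    <name>hadoop.http.authentication.simple.anonymous.allowed</name>
    <value>false</value>
  </property>
</configuration>
```

Changing hadoop.http.filter.initializers requires restarting the daemons, which is the inconvenience the comment describes.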
